public async Task ParseKdcProxyMessage_WithoutLength()
{
var req = KrbAsReq.CreateAsReq(
new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!"),
0
).EncodeApplication();
var domain = "corp.identityintervention.com";
var hint = DcLocatorHint.DS_AVOID_SELF;
var message = KdcProxyMessage.WrapMessage(req, domain, hint, mode: KdcProxyMessageMode.NoPrefix);
var kdc = new KdcServer(new KdcServerOptions {
RealmLocator = realm => new FakeRealmService(realm)
});
var response = await kdc.ProcessMessage(message.Encode());
Assert.IsTrue(response.Length > 0);
Assert.IsFalse(KrbError.CanDecode(response));
var proxy = KdcProxyMessage.Decode(response);
var preAuthReq = KrbError.DecodeApplication(proxy.UnwrapMessage(out KdcProxyMessageMode mode));
Assert.AreEqual(KdcProxyMessageMode.NoPrefix, mode);
Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, preAuthReq.ErrorCode);
}
public void Setup()
{
options = new ListenerOptions
{
DefaultRealm = Realm,
RealmLocator = LocateRealm
};
credential = Creds.GetOrAdd(AlgorithmType, a => new KerberosPasswordCredential(a + user, password));
asReq = KrbAsReq.CreateAsReq(credential, DefaultAuthentication).EncodeApplication();
switch (AlgorithmType)
{
case "RC4":
etype = EncryptionType.RC4_HMAC_NT;
break;
case "AES128":
etype = EncryptionType.AES128_CTS_HMAC_SHA1_96;
break;
case "AES256":
etype = EncryptionType.AES256_CTS_HMAC_SHA1_96;
break;
}
}
public Task Setup()
{
this.Port = new Random().Next(20000, 40000);
var options = new ListenerOptions
{
DefaultRealm = "corp2.identityintervention.com".ToUpper(),
RealmLocator = realm => LocateRealm(realm),
Log = Logger
};
options.Configuration.KdcDefaults.TcpListenBacklog = int.MaxValue;
options.Configuration.KdcDefaults.ReceiveTimeout = TimeSpan.FromSeconds(15);
options.Configuration.KdcDefaults.KdcTcpListenEndpoints.Clear();
options.Configuration.KdcDefaults.KdcTcpListenEndpoints.Add($"127.0.0.1:{this.Port}");
this.listener = new KdcServiceListener(options);
_ = this.listener.Start();
this.credential = Creds.GetOrAdd(this.AlgorithmType, a => new KerberosPasswordCredential(a + this.user, this.password));
this.asReq = new ReadOnlySequence <byte>(KrbAsReq.CreateAsReq(this.credential, DefaultAuthentication).EncodeApplication());
return(Task.CompletedTask);
}
public async Task HttpsTransportReceivesFailure()
{
var transport = new HandledHttpsKerberosTransport(new FailureKdcMessageDelegatingHandler());
var asReq = KrbAsReq.CreateAsReq(new KerberosPasswordCredential(UserUpn, "P@ssw0rd!"), AuthenticationOptions.Forwardable);
await transport.SendMessage <KrbAsRep>("adasdf", asReq.EncodeApplication());
}
public void AsReqRoundtripParse()
{
var creds = new KerberosPasswordCredential("sdfsdfsdf", "sdfsdfsdf", "sdfsdfsdf");
var asReq = KrbAsReq.CreateAsReq(creds, AuthenticationOptions.AllAuthentication);
var encoded = asReq.EncodeApplication();
var decoded = KrbAsReq.DecodeApplication(encoded);
Assert.IsNotNull(decoded);
}
public async Task HttpsTransportReceivesSuccess()
{
var transport = new HandledHttpsKerberosTransport(new SuccessKdcMessageDelegatingHandler());
transport.DomainPaths["adasdf"] = new Uri("https://test.internal/fake");
var asReq = KrbAsReq.CreateAsReq(new KerberosPasswordCredential(UserUpn, "P@ssw0rd!"), AuthenticationOptions.Forwardable);
var response = await transport.SendMessage <KrbAsRep>("adasdf", asReq.EncodeApplication());
Assert.IsNotNull(response);
transport.Dispose();
}
public void AsReqPreAuth_PkinitCertificateAccessible()
{
var credCert = new X509Certificate2(ReadDataFile("testuser.pfx"), "p");
var cred = new TrustedAsymmetricCredential(credCert, "*****@*****.**");
var asReq = KrbAsReq.CreateAsReq(cred, AuthenticationOptions.AllAuthentication);
var handler = new KdcAsReqMessageHandler(
asReq.EncodeApplication(),
new ListenerOptions
{
DefaultRealm = "corp.identityintervention.com",
RealmLocator = realm => new FakeRealmService(realm)
});
handler.PreAuthHandlers[PaDataType.PA_PK_AS_REQ] = service => new PaDataPkAsReqHandler(service)
{
IncludeOption = X509IncludeOption.EndCertOnly
};
var context = new PreAuthenticationContext();
handler.DecodeMessage(context);
handler.ExecutePreValidate(context);
handler.QueryPreValidate(context);
handler.ValidateTicketRequest(context);
handler.QueryPreExecute(context);
handler.ExecuteCore(context);
Assert.AreEqual(PaDataType.PA_PK_AS_REQ, context.ClientAuthority);
Assert.AreEqual(1, context.PreAuthenticationState.Count);
Assert.IsTrue(context.PreAuthenticationState.TryGetValue(PaDataType.PA_PK_AS_REQ, out PaDataState paState));
var state = paState as PkInitState;
Assert.IsNotNull(state);
Assert.IsNotNull(state.ClientCertificate);
Assert.AreEqual(1, state.ClientCertificate.Count);
var clientCert = state.ClientCertificate[0];
Assert.IsFalse(clientCert.HasPrivateKey);
Assert.AreEqual(credCert.Thumbprint, clientCert.Thumbprint);
}
private static KrbAsRep RequestTgt(out KrbEncryptionKey sessionKey)
{
var cred = new KerberosPasswordCredential(Upn, "P@ssw0rd!")
{
// cheating by skipping the initial leg of requesting PA-type
Salts = new[]
{
new KeyValuePair <EncryptionType, string>(
EncryptionType.AES256_CTS_HMAC_SHA1_96,
"*****@*****.**"
)
},
Configuration = Krb5Config.Default()
};
var asReq = KrbAsReq.CreateAsReq(
cred,
AuthenticationOptions.AllAuthentication
);
var handler = new KdcAsReqMessageHandler(asReq.EncodeApplication(), new KdcServerOptions
{
DefaultRealm = Realm,
IsDebug = true,
RealmLocator = realm => new FakeRealmService(realm)
});
handler.PreAuthHandlers[PaDataType.PA_ENC_TIMESTAMP] = service => new PaDataTimestampHandler(service);
var results = handler.Execute();
var decoded = KrbAsRep.DecodeApplication(results);
var decrypted = cred.DecryptKdcRep(
decoded,
KeyUsage.EncAsRepPart,
d => KrbEncAsRepPart.DecodeApplication(d)
);
sessionKey = decrypted.Key;
return(decoded);
}
public Task Setup()
{
Port = new Random().Next(20000, 40000);
var options = new ListenerOptions
{
ListeningOn = new IPEndPoint(IPAddress.Loopback, Port),
DefaultRealm = "corp2.identityintervention.com".ToUpper(),
RealmLocator = realm => LocateRealm(realm),
QueueLength = 10 * 1000,
ReceiveTimeout = TimeSpan.FromMinutes(60),
Log = null
};
listener = new KdcServiceListener(options);
_ = listener.Start();
credential = Creds.GetOrAdd(AlgorithmType, a => new KerberosPasswordCredential(a + user, password));
asReq = new ReadOnlySequence <byte>(KrbAsReq.CreateAsReq(credential, DefaultAuthentication).EncodeApplication());
return(Task.CompletedTask);
}
public static async Task <PingResult> Ping(KerberosCredential credential, Krb5Config config, ILoggerFactory logger = null)
{
credential.Configuration = config;
var asReqMessage = KrbAsReq.CreateAsReq(credential, AuthenticationOptions.Renewable);
var asReq = asReqMessage.EncodeApplication();
var transport = new KerberosTransportSelector(
new IKerberosTransport[]
{
new TcpKerberosTransport(logger),
new UdpKerberosTransport(logger),
new HttpsKerberosTransport(logger)
},
config,
logger
)
{
ConnectTimeout = TimeSpan.FromSeconds(5)
};
var result = new PingResult {
AsReq = asReqMessage
};
try
{
result.AsRep = await transport.SendMessage <KrbAsRep>(credential.Domain, asReq);
}
catch (KerberosProtocolException pex)
{
result.Error = pex.Error;
}
return(result);
}
public async Task ParseKdcProxyMessage()
{
var req = KrbAsReq.CreateAsReq(
new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!"),
0
).EncodeApplication();
var domain = "corp.identityintervention.com";
var hint = DcLocatorHint.DS_AVOID_SELF;
var messageBytes = new Memory <byte>(new byte[req.Length + 4]);
Endian.ConvertToBigEndian(req.Length, messageBytes.Slice(0, 4));
req.CopyTo(messageBytes.Slice(4, req.Length));
var message = new KdcProxyMessage
{
TargetDomain = domain,
KerbMessage = messageBytes,
DcLocatorHint = hint
};
var kdc = new KdcServer(new ListenerOptions {
RealmLocator = LocateFakeRealm
});
var response = await kdc.ProcessMessage(new ReadOnlySequence <byte>(message.Encode()));
Assert.IsTrue(response.Length > 0);
Assert.IsFalse(KrbError.CanDecode(response));
var proxy = KdcProxyMessage.Decode(response);
var preAuthReq = KrbError.DecodeApplication(proxy.UnwrapMessage());
Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, preAuthReq.ErrorCode);
}
public async Task ProcessAsReq()
{
var requestCounter = 0;
for (var i = 0; i < AuthenticationAttempts; i++)
{
var credential = Creds.GetOrAdd(AlgorithmType, a => new KerberosPasswordCredential(a + user, password));
var asReq = KrbAsReq.CreateAsReq(credential, DefaultAuthentication).EncodeApplication();
var message = new ReadOnlySequence <byte>(asReq);
KdcAsReqMessageHandler handler = new KdcAsReqMessageHandler(message, listener.Options);
var response = await handler.Execute();
Assert.IsNotNull(response);
if (DisplayProgress)
{
CountItOut(ref requestCounter);
}
}
}